Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"

vittorio.bertocci@auth0.com Wed, 25 March 2020 16:07 UTC

From: vittorio.bertocci@auth0.com
To: 'Brian Campbell' <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: "'Richard Backman, Annabelle'" <richanna@amazon.com>, 'oauth' <oauth@ietf.org>
References: <AM0PR08MB37160B8A021052198699CD17FAF00@AM0PR08MB3716.eurprd08.prod.outlook.com> <01ec01d6017c$162eb2e0$428c18a0$@aueb.gr> <CAHdPCmMzRn8iYG025Vq0sQNzgZTOkQJuMJwttDgjMDLESpjptw@mail.gmail.com> <CAO_FVe5UXY4Jxd3LdG6zyXJ8B8nFKYevcHQTVJEAFSdW0ku9tg@mail.gmail.com> <52f18114-4f8e-da86-5735-4c4e8f8d2db5@aol.com> <BL0PR08MB5394CA3CB524E95EA87CD6B6AEF10@BL0PR08MB5394.namprd08.prod.outlook.com> <74da4cc3-359c-c08a-0ae5-54c8ca309f32@aol.com> <D080BE8B-BD0D-4F63-9F33-BA23C2FB42DD@amazon.com> <DM6PR08MB5402639817677AD59898CD65AECE0@DM6PR08MB5402.namprd08.prod.outlook.com> <CA+k3eCQn4GtBpD+MOgRs1FK_aJVf3X2X2UZV4Ge7+hO1CyATZg@mail.gmail.com>
In-Reply-To: <CA+k3eCQn4GtBpD+MOgRs1FK_aJVf3X2X2UZV4Ge7+hO1CyATZg@mail.gmail.com>
Date: Wed, 25 Mar 2020 09:06:58 -0700
Message-ID: <13b6101d602bf$69b8b4d0$3d2a1e70$@auth0.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/FfuHRg9dZV7oLOyM5rD-Vpb5khs>

Fair. I went back to the aggregated research rather than the individual emails and I did find those samples from you - thanks for pointing this out. Nonetheless, I don't think this changes the main argument. Symmetric isn't disallowed, it just cannot give a complete end-to-end solution that would increase the likelihood of prompt interoperability out of the box, hence it seems meaningful to recommend it in an interop profile.


From: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> 
Sent: Wednesday, March 25, 2020 8:10 AM
To: Vittorio Bertocci <vittorio.bertocci@auth0.com>
Cc: Richard Backman, Annabelle <richanna@amazon.com>; oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] WGLC on "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens"


On Wed, Mar 25, 2020 at 3:53 AM Vittorio Bertocci <vittorio.bertocci=40auth0.com@dmarc.ietf.org> wrote:

>4 p1: Saying asymmetric signatures are RECOMMENDED presupposes that key distribution is the implementer’s primary concern. MAC-based implementations shouldn’t be seen as some weird edge case scenario (though it’d be worth including some Security Considerations text calling out the key distribution challenges when dealing with loosely coupled ASes and RSes).

In the spirit of achieving the simplest, most actionable core interop profile, with as little left as exercise to the reader as possible, I would prefer to keep symmetric keys out of scope. 

Although you are right that MAC-based implementations have a role to play in the OAuth2 ecosystem, key distribution is a problem left to the developer to solve; and all the sample JWTs ATs I got from the providers I worked with were signed with discoverable keys.

Again, that doesn't mean that MAC-based implementations shouldn't be used: only that this profile focuses on a solution that is as close to turnkey as possible for developers, and that requests as little delta as possible to providers already using JWT for their ATs.


I'm not trying to re-litigate the decision or question consensus but I will ask that you don't use the justification that "all the sample JWTs ATs I got from the providers I worked with were signed with discoverable keys" because I explicitly included several example JWT ATs in the samples that I provided that were using AEAD symmetric encryption, which is similar to MAC-based but with the added benefit of confidentiality of the claims payload. 


See also https://mailarchive.ietf.org/arch/msg/oauth/DAFccKDPJRhA5Z-vLIrx7u5XU4Q/

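The disagreement above turns on key distribution: an asymmetrically signed access token can be checked by a resource server that has nothing but the issuer's published keys, whereas a MAC-based token needs a secret the resource server must already hold. The following Go program, written for this archive as an added example (it is not code from the thread, from Auth0, Ping Identity or the draft), plays both roles using only the standard library: the authorization server generates a P-256 key, publishes it as a JWKS and issues an ES256 token; the resource server verifies that token by resolving the header `kid` against the published document and accepts no other algorithm. An `HS256Token` helper shows the symmetric counterpart, which the same verifier cannot check because no JWKS can carry the shared secret. The `kid` label, issuer and claims are constructed values; the `at+jwt` type header is the one the profile under discussion defines.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding

// jwk: EC P-256 JWK members; encoding/json matches "kty", "crv", "kid", "x", "y" case-insensitively.
type jwk struct{ Kty, Crv, Kid, X, Y string }
// NewKey generates the authorization server's P-256 signing key.
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}
// Publish builds the JWKS the AS serves at its jwks_uri: the public half of
// the key under a kid (constructed label). Nothing secret is needed to consume it.
func Publish(priv *ecdsa.PrivateKey, kid string) []jwk {
	x := priv.PublicKey.X.FillBytes(make([]byte, 32))
	y := priv.PublicKey.Y.FillBytes(make([]byte, 32))
	return []jwk{{Kty: "EC", Crv: "P-256", Kid: kid, X: b64.EncodeToString(x), Y: b64.EncodeToString(y)}}
}
// signingInput encodes header and claims as the first two JWS segments.
func signingInput(hdr map[string]string, claims map[string]interface{}) string {
	h, _ := json.Marshal(hdr)
	c, _ := json.Marshal(claims)
	return b64.EncodeToString(h) + "." + b64.EncodeToString(c)
}

// Sign issues an ES256 access token whose header names the published kid.
func Sign(priv *ecdsa.PrivateKey, kid string, claims map[string]interface{}) (string, error) {
	input := signingInput(map[string]string{"alg": "ES256", "typ": "at+jwt", "kid": kid}, claims)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return input + "." + b64.EncodeToString(sig), nil
}

// HS256Token is the MAC-based alternative: valid for whoever holds the shared
// secret, but no JWKS can tell a resource server what that secret is.
func HS256Token(claims map[string]interface{}, secret []byte) string {
	input := signingInput(map[string]string{"alg": "HS256", "typ": "at+jwt"}, claims)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}
// lookupKey resolves a header kid against the published JWKS.
func lookupKey(keys []jwk, kid string) *ecdsa.PublicKey {
	for _, k := range keys {
		xb, errX := b64.DecodeString(k.X)
		yb, errY := b64.DecodeString(k.Y)
		if k.Kid == kid && k.Kty == "EC" && k.Crv == "P-256" && errX == nil && errY == nil {
			return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
		}
	}
	return nil
}

// Verify is the resource server: it knows only the published keys, accepts
// ES256 alone, resolves the key by kid, and only then trusts the claims.
func Verify(token string, keys []jwk) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS: expected three segments")
	}
	hdrRaw, errH := b64.DecodeString(parts[0])
	body, errB := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if errH != nil || errB != nil || errS != nil || json.Unmarshal(hdrRaw, &hdr) != nil {
		return nil, fmt.Errorf("malformed JWS: undecodable segment")
	}
	if hdr.Alg != "ES256" {
		return nil, fmt.Errorf("alg %q rejected: only ES256 is verifiable from published keys", hdr.Alg)
	}
	pub := lookupKey(keys, hdr.Kid)
	if pub == nil {
		return nil, fmt.Errorf("no published P-256 key with kid %q", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if len(sig) != 64 || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, fmt.Errorf("signature does not verify under the published key")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}
```

The verifier pins the algorithm before it looks at the key, so a token whose header names a symmetric algorithm is refused on the alg check alone rather than on a missing secret; that is the turnkey property the discoverable-key approach buys. The AEAD-encrypted tokens mentioned in the reply would need a separate JWE decryption path with a key the resource server already holds, which is the same out-of-band distribution step the profile text leaves to the deployer.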